[Snort-users] Configuration issue, Part II

John Sage jsage at ...2022...
Mon Sep 24 06:44:04 EDT 2001


Although I think Erek has something going with the real issue, here, 
questioning how *two* external interfaces are to work...

Erek Adams wrote:

> On Sun, 23 Sep 2001, DJDave Sobel wrote:
> 
>>First off, thanks to everyone who's lent a hand -- I do appreciate it.
>>Let me know where to send the coffee and/or beer...
>>
> 
> :)
> 
>>Now, to save bandwidth, I compiled my answers to everyone's questions
>>into this one email. :) Thus, those not interested only need ignore one
>>message.
>>
>>First off, to answer Erek Adams (erek at ...577...):
>>	Tell me where to send your beer... Snort is located on my Linux
>>router, so it's on a machine with 6 network interfaces.  Two are
>>connected to the Internet, and four are to the internal networks.  I use
>>ipchains to block various unfriendly traffic, and control who can see
>>
> Ahhhh....  I think I see a possible problem!  Have a look at this:
> 
> http://snort.sourcefire.com/docs/faq.html#4.3
> 
> Basically, snort sits 'behind' the ipchains and ipf programs.  They see the
> packets before snort does.  If you've got things setup to drop/deny packets
> that you are expecting to see with snort, then you won't.


<snip>

...let me say that this is *not* what I see.

With snort 1.8.1-RELEASE build 74, and ipchains 1.3.9 (I know, I know..) 
on RHL 6.2, ipchains quite busily DENY's or ACCEPT's as appropriate, and 
snort happily logs everything, DENY'ed or not.

Maybe if Marty or someone is lurking, they can comment on what the FAQ says:

<snip>
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully 
quiet...

A: Your firewall rules will also block traffic to the snort processes.
<snip>

and how that reconciles with what I'm seeing.

I'm running snort thus:

snortREL -b -i ppp0 -c /usr/local/snort-1.8.1-RELEASE/snortREL.conf &

and my snortREL.conf points at my rules files that essentially log 
everything.



- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."